
Enabling Wazuh Active Response Module


Vusal Karimov

April 16, 2025

In this article, we will explain in detail what Wazuh is, what it is used for, and how it automatically removes malware that enters the system as a result of its integration with VirusTotal.

Wazuh's Active Response module is a powerful feature that allows security teams to respond to threats automatically and in real time. This article guides you through enabling and configuring the Active Response module in Wazuh to strengthen your security posture.

In this section, we will first build an active response mechanism on a Linux operating system, and then on a Windows operating system, by integrating Wazuh with VirusTotal. Our goal is to ensure that any malicious file that enters the system is detected in real time and automatically deleted. Here, I will use Kali Linux and Windows 11 as endpoints on Wazuh Ubuntu Server.

Prerequisites

  • A working Wazuh server (version 4.9 or higher)
  • Administrative access to the Wazuh manager
  • Basic understanding of Wazuh architecture
  • Familiarity with XML configuration files

Note: Before enabling Active Response, ensure you understand the potential impact of automated actions in your environment. Test thoroughly in a non-production environment first.

Configuration Steps

1. Locate the Wazuh configuration file

The main configuration file is typically located at /var/ossec/etc/ossec.conf. You'll need to edit this file to enable and configure Active Response.

2. Configure Active Response commands

First, define the commands that Active Response will use. Add the following configuration to the ossec.conf file:

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

3. Define Active Response actions

Next, configure when and how these commands should be executed:

<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>1800</timeout>
</active-response>
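Because Wazuh only reports a broken Active Response configuration when the manager restarts, it helps to cross-check the <command> and <active-response> blocks before touching the service. The following checker is an added example and is not part of Wazuh or of the original article; it uses only the Python standard library and flags the mistakes that most often keep a response from firing: an <active-response> that names a command never defined in a <command> block, a <timeout> set on a command that did not declare <timeout_allowed>yes</timeout_allowed>, an unknown <location>, and a response with no trigger. The sample fragment embedded below is constructed for the demo: it repeats the two pairs from this article and adds two deliberately broken entries (custom-response and quarantine-file). The optional bin_dir argument and the file-existence check are assumptions about how a reader would extend it, not a documented Wazuh interface.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the article's two pairs plus two broken entries.
# ossec.conf may hold several top-level <ossec_config> elements, so the
# checker wraps the text in a synthetic root before parsing.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>custom-response</name>
    <executable>custom-response.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>1800</timeout>
  </active-response>
  <active-response>
    <command>custom-response</command>
    <location>local</location>
    <level>10</level>
    <timeout>300</timeout>
  </active-response>
  <active-response>
    <command>quarantine-file</command>
    <location>local</location>
    <level>12</level>
  </active-response>
</ossec_config>
"""

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}


def _text(elem, tag):
    """Stripped text of a direct child element, or '' if it is absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def check_active_response(conf_text, bin_dir=None):
    """Return a list of findings (empty list means nothing was flagged).

    bin_dir, when given, is the directory that should contain every
    <executable> (normally /var/ossec/active-response/bin/)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings, commands = [], {}
    # Only top-level <command> blocks define commands; the <command> inside
    # <active-response> is a reference, so do not use root.iter() here.
    for cmd in root.findall("ossec_config/command"):
        name = _text(cmd, "name")
        if not name:
            findings.append("<command> block without a <name>")
            continue
        exe = _text(cmd, "executable")
        if not exe:
            findings.append(f"command {name!r} has no <executable>")
        elif bin_dir and not os.path.isfile(os.path.join(bin_dir, exe)):
            findings.append(f"command {name!r}: {exe} not found in {bin_dir}")
        commands[name] = cmd
    for ar in root.findall("ossec_config/active-response"):
        name = _text(ar, "command")
        if name not in commands:
            findings.append(f"active-response references undefined command {name!r}")
            continue
        loc = _text(ar, "location")
        if loc not in VALID_LOCATIONS:
            findings.append(f"active-response {name!r} has invalid <location> {loc!r}")
        if _text(ar, "timeout") and _text(commands[name], "timeout_allowed").lower() != "yes":
            findings.append(f"active-response {name!r} sets <timeout> but its command lacks <timeout_allowed>yes</timeout_allowed>")
        if not any(_text(ar, t) for t in ("level", "rules_id", "rules_group")):
            findings.append(f"active-response {name!r} has no trigger (<level>, <rules_id> or <rules_group>)")
    return findings


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line in check_active_response(conf) or ["no findings"]:
        print(line)
```

Run it as `python3 check_ar.py /var/ossec/etc/ossec.conf` to check a live file; with no argument it checks the constructed sample and reports the two planted problems.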

4. Create custom response scripts (optional)

You can create custom response scripts to handle specific scenarios. Place these scripts in the /var/ossec/active-response/bin/ directory.

#!/bin/bash

# Custom response script
# Save as /var/ossec/active-response/bin/custom-response.sh
#
# Since Wazuh 4.2, wazuh-execd hands the alert to the script as a single
# JSON document on standard input rather than as positional arguments.
# The "command" field is "add" when the alert fires and "delete" when the
# configured <timeout> expires. Parsing below relies on jq (assumed to be
# installed on the host that runs the script).

read -r INPUT_JSON

ACTION=$(printf '%s' "$INPUT_JSON" | jq -r '.command')
IP=$(printf '%s' "$INPUT_JSON" | jq -r '.parameters.alert.data.srcip // empty')
RULE_ID=$(printf '%s' "$INPUT_JSON" | jq -r '.parameters.alert.rule.id // empty')

# Work from the Wazuh install root so relative paths (logs/...) resolve
LOCAL=$(dirname "$0")
cd "$LOCAL/.." || exit 1

# Record the invocation alongside the built-in scripts' output
echo "$(date) $0 $INPUT_JSON" >> logs/active-responses.log

# Send email notification
if [ "$ACTION" = "add" ]; then
    echo "Active Response triggered by rule $RULE_ID for IP: $IP" | mail -s "Security Alert" admin@example.com
fi

exit 0

Don't forget to make your script executable:

chmod +x /var/ossec/active-response/bin/custom-response.sh
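A custom script is only half of the exchange: wazuh-execd sends an "add" message when the alert fires and, if the response has a <timeout>, a matching "delete" message later, so a script that handles only "add" leaves its change in place forever. The following handler is an added example, not Wazuh project code and not the article's script. It keeps a deny list in a plain text file (the state file path is an assumption for the demo; a real script would act on the firewall or host instead), reads the execd message from stdin when installed, and when run from a terminal plays both sides of the add/delete lifecycle with constructed messages. The message builder fills only the fields the handler reads, and the sample rule id and addresses are constructed values.

```python
import json
import os
import sys
import tempfile

# State file for the demo (assumption: any writable path would do).
DEFAULT_DENYLIST = os.path.join(tempfile.gettempdir(), "ar-demo-denylist.txt")


def execd_message(command, srcip,
                  program="/var/ossec/active-response/bin/custom-response.sh"):
    """Constructed message in the shape wazuh-execd writes to the script's
    stdin; only the fields this handler reads are populated."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,                      # "add" or "delete"
        "parameters": {
            "extra_args": [],
            "alert": {"rule": {"level": 7, "id": "5712"},
                      "data": {"srcip": srcip}},
            "program": program,
        },
    })


def _load(path):
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}


def _save(path, entries):
    with open(path, "w") as fh:
        fh.write("".join(ip + "\n" for ip in sorted(entries)))


def handle(message, path=DEFAULT_DENYLIST):
    """Apply one execd message to the deny list and return a short status."""
    try:
        msg = json.loads(message)
    except json.JSONDecodeError:
        return "ignored: stdin was not JSON"
    command = msg.get("command")
    alert = msg.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        return "ignored: alert carries no srcip"
    entries = _load(path)
    if command == "add":
        entries.add(srcip)
    elif command == "delete":          # sent by execd when <timeout> expires
        entries.discard(srcip)
    else:
        return f"ignored: unknown command {command!r}"
    _save(path, entries)
    return f"{command} {srcip}"


def current_denylist(path=DEFAULT_DENYLIST):
    return _load(path)


def temp_denylist_path():
    """Fresh state file for demos and tests."""
    return os.path.join(tempfile.mkdtemp(), "denylist.txt")


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No execd on the other end: play both sides of the exchange.
        path = temp_denylist_path()
        print(handle(execd_message("add", "198.51.100.7"), path), current_denylist(path))
        print(handle(execd_message("delete", "198.51.100.7"), path), current_denylist(path))
    else:
        # Installed under /var/ossec/active-response/bin/: act on execd's message.
        print(handle(sys.stdin.read()))
```

Piping a message into it (`python3 handler.py < message.json`) exercises the installed path; running it with no stdin redirect shows the address appear on "add" and disappear again on "delete".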

5. Restart Wazuh Manager

After making these changes, restart the Wazuh manager to apply the configuration:

systemctl restart wazuh-manager

Testing the Setup

To verify that your Active Response configuration is working correctly, you can simulate an attack that would trigger a response:

1. Simulate a brute force attack

# From a test machine, attempt multiple SSH logins with incorrect passwords
for i in {1..10}; do
  ssh user@your-wazuh-agent-ip -p 22
done

2. Check Active Response logs

Monitor the Active Response logs to see if the actions were triggered:

tail -f /var/ossec/logs/active-responses.log

3. Verify IP blocking

If you configured firewall-drop, check if the IP was added to your firewall rules:

# For iptables
iptables -L -n | grep "your-test-ip"

# For firewalld
firewall-cmd --ipset=blacklist --get-entries

Troubleshooting

If Active Response isn't working as expected, check these common problems.

Script permissions

Ensure that all Active Response scripts have the correct permissions:

chmod 750 /var/ossec/active-response/bin/*
chown root:wazuh /var/ossec/active-response/bin/*

Check for configuration errors

Validate your Wazuh configuration file:

/var/ossec/bin/wazuh-logtest

Review debug logs

Enable debug mode temporarily to get more detailed logs:

# Edit ossec.conf to enable debug
<ossec_config>
  <global>
    <debug>2</debug>
  </global>
</ossec_config>

# Restart Wazuh
systemctl restart wazuh-manager

# Check the logs
tail -f /var/ossec/logs/ossec.log

Conclusion

Enabling Wazuh's Active Response module significantly enhances your security posture by automating responses to detected threats. By following this guide, you've configured your Wazuh installation to automatically respond to security incidents, reducing response time and minimizing potential damage.

Remember to regularly review your Active Response configuration and logs to ensure it's working as expected and to fine-tune the rules based on your environment's specific needs.

Best practice: Start with conservative Active Response rules and gradually expand them as you gain confidence in your configuration.